SOC 2 Academy: Documentation of Inputs
Processing Integrity Criteria 1.5
When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the processing integrity category in their audit, they would need to comply with the additional criteria for processing integrity. Processing integrity criteria 1.5 says, “The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives.” Let’s take a look at why your organization needs documentation of inputs if you’re pursuing SOC 2 compliance.
Why Do You Need Documentation of Inputs?
Like with the other criteria assessed during a SOC 2 audit, an auditor will want to see that an organization has effective documentation of inputs to determine whether or not the organization complies with processing integrity criteria 1.5. This means that organizations who include the processing integrity category will need to demonstrate that they have policies and procedures in place regarding how they store inputs, items in processing, and outputs in a complete, accurate, and timely manner. Why? Because if there’s ever an instance where the integrity of processing activities is called into question, there needs to be a process that’s documented and readily available to verify when an action took place and who completed it.
Complying with Processing Integrity Criteria 1.5
Auditors will use the following points of focus to determine compliance with processing integrity criteria 1.5:
- Does the entity protect stored items from theft, corruption, destruction, or deterioration?
- Does the entity archive and protect system records?
- Does the entity have procedures in place to store data completely and accurately?
- Does the entity create and maintain records of system storage activities?
More SOC 2 Resources
Processing integrity 1.5 of the SOC 2 Trust Services Criteria states that the entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives. What is this about? This is making sure that everything that was relied upon when the process occurred is still there and available for review if there ever had to be an audit or examination to determine where a piece of information came from. This is especially true in cases of fraud where perhaps someone tried to execute fraud in a payment process or the cutting of a check out of a system, and it’s imperative to go back and see who took what action when. You want to have those records archived and available in a way so that you can prove that process occurred based on the information that was input and provided every step of the way.